I am a graphic designer getting thrown into the website stuff. So please excuse any ignorance on my part. I am learning, but not hugely code savvy.
My boss has a website that was infected with malware after a successful brute force attack on his site. His hosting company helped me clean it up and had me install the Wordfence plugin on the site to help protect the login page. It has been working as far as I can tell. The problem I am running into now is that it also blocks ShipStation’s automations. Reading the docs, it looks like I can whitelist IP addresses, but not hostnames. I can’t use both of these plugins at the same time.
Does anyone have a Wordfence alternative that would work with ShipStation? Bonus points if it is free.
Contact WF via their support forum on WordPress.org. I doubt your site was hacked via brute force – those don’t happen in the real world. 99% of the time it’s because a vulnerable plugin was being used.
Despite frequent claims to the contrary, brute force attacks against login pages are not happening. There are malicious login attempts against WordPress websites, but those involve dictionary attacks and possibly attacks involving reused passwords. The solution to those situations is to use a strong and unique password. So no security plugin is needed to protect against that, so you can just remove Wordfence Security if that is all you are using a security plugin to protect against. If you need some other protection, there are likely better options than that plugin.
Wordfence has a learning mode that will allow you to train it that these requests should be allowed. You can train it by following these steps:
1. Go to the WordPress Dashboard > Wordfence > Firewall and click Manage Firewall.
2. Under Basic Firewall Options > Web Application Firewall Status, change the status to Learning Mode and click Save Changes.
3. Now perform the actions that were being blocked by Wordfence. This will help Wordfence learn that these are normal actions and should be allowed.
4. Go back to WordPress Dashboard > Wordfence > Firewall and click Manage Firewall again.
5. Under Basic Firewall Options > Web Application Firewall Status, change the status back to Enabled and Protecting and click Save Changes.
6. Test that the actions that Wordfence was previously blocking are now being allowed.
Wordfence may act differently if you are logged in as an administrator on the site instead of viewing the site as a normal visitor. To ensure you are testing how your site will work for a normal visitor, make sure you are not logged in or you are viewing the page in an Incognito or Private window.